VMware Horizon Community
nburton935
Hot Shot

Unified Access Gateway - 443 Port Sharing for BLAST

We've been doing 443 port sharing with BLAST for some time now on UAG. I just recently noticed that even when the Blast External URL is set to <hostname>:443, it appears that 8443 is still in use for UDP. TCP is being used on 443 correctly.

I've tested this on both UAG 3.3.1 and 3.7 on Horizon 7.10. I opened a ticket with VMware on this and they essentially said to configure 8443 on the load balancer/firewall as a workaround.

Blast TCP and UDP External URL Configuration Options

According to this, UDP 443 can also be used to access a desktop through the UDP tunnel server. The port configuration is set through the Blast External URL property.

But the table specifically says if you configure 443, then 8443 is used for UDP. Does a forwarding rule of some sort need to be used for UDP-443 to be utilized? Trying to figure out if this is an undocumented bug or expected behavior.

Thanks!

-Nick

0 Kudos
4 Replies
JohnTwilley
Hot Shot

Did you ever figure this out? We also have it set up using 443.

We are wondering if we're experiencing the same issue, as we can never establish a UDP Blast connection through our UAGs...

0 Kudos
nburton935
Hot Shot

Yes, we had to utilize 8443 for UDP on UAG, even if 443 is configured in the Blast URL. Blast URL only seems to set the TCP port. After we created the UDP-8443 VIP, everything began working. Also ensure that 22443 TCP+UDP is allowed between UAG -> agent.

JohnTwilley
Hot Shot

Thank you for replying to this old thread!

We have really been scratching our heads on this one, as the documentation for using port 443 (instead of 8443) is very limited from VMware.

Many healthcare and financial environments have better luck with having 443 opened than 8443, so I'd assumed it would be easier to find information on pros/cons.

Your answer really helps, as we are about to perform TCPDumps from the UAGs to see what's happening to the UDP traffic. (We are running UAG 3.6 devices in case anyone is in the same boat.)

0 Kudos
sjesse
Leadership

Look at this if you haven't seen it. It's about a slightly different topic, but Mark Benson's replies discuss what works or not with 443.

Can BEAT run over a different port than UDP 8443?